Conditions | 63 |
Paths | > 20000 |
Total Lines | 183 |
Code Lines | 102 |
Lines | 0 |
Ratio | 0 % |
Changes | 0 |
Small methods make your code easier to understand, in particular if combined with a good name. Besides, if your method is small, finding a good name is usually much easier.
For example, if you find yourself adding comments to a method's body, this is usually a good sign to extract the commented part to a new method, and use the comment as a starting point when coming up with a good name for this new method.
Commonly applied refactorings include:
If many parameters/temporary variables are present:
1 | <?php |
||
6 | function protector_postcommon() |
||
7 | { |
||
8 | global $xoopsUser, $xoopsModule; |
||
9 | |||
10 | // patch for 2.2.x from xoops.org (I know this is not so beautiful...) |
||
11 | if (substr(@XOOPS_VERSION, 6, 3) > 2.0 && false !== stripos(@$_SERVER['REQUEST_URI'], 'modules/system/admin.php?fct=preferences')) { |
||
12 | /* @var XoopsModuleHandler $module_handler */ |
||
13 | $module_handler = xoops_getHandler('module'); |
||
14 | $module = $module_handler->get((int)(@$_GET['mod'])); |
||
15 | if (is_object($module)) { |
||
16 | $module->getInfo(); |
||
17 | } |
||
18 | } |
||
19 | |||
20 | // configs writable check |
||
21 | if (@$_SERVER['REQUEST_URI'] === '/admin.php' && !is_writable(dirname(__DIR__) . '/configs')) { |
||
22 | trigger_error('You should turn the directory ' . dirname(__DIR__) . '/configs writable', E_USER_WARNING); |
||
23 | } |
||
24 | |||
25 | // Protector object |
||
26 | require_once dirname(__DIR__) . '/class/protector.php'; |
||
27 | $db = XoopsDatabaseFactory::getDatabaseConnection(); |
||
28 | $protector = Protector::getInstance(); |
||
29 | $protector->setConn($db->conn); |
||
30 | $protector->updateConfFromDb(); |
||
31 | $conf = $protector->getConf(); |
||
32 | if (empty($conf)) { |
||
33 | return true; |
||
34 | } // not installed yet |
||
35 | |||
36 | // phpmailer vulnerability |
||
37 | // http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/ |
||
38 | if (in_array(substr(XOOPS_VERSION, 0, 12), array('XOOPS 2.0.16', 'XOOPS 2.0.13', 'XOOPS 2.2.4'))) { |
||
39 | /* @var XoopsConfigHandler $config_handler */ |
||
40 | $config_handler = xoops_getHandler('config'); |
||
41 | $xoopsMailerConfig = $config_handler->getConfigsByCat(XOOPS_CONF_MAILER); |
||
42 | if ($xoopsMailerConfig['mailmethod'] === 'sendmail' && md5_file(XOOPS_ROOT_PATH . '/class/mail/phpmailer/class.phpmailer.php') === 'ee1c09a8e579631f0511972f929fe36a') { |
||
43 | echo '<strong>phpmailer security hole! Change the preferences of mail from "sendmail" to another, or upgrade the core right now! (message by protector)</strong>'; |
||
44 | } |
||
45 | } |
||
46 | |||
47 | // global enabled or disabled |
||
48 | if (!empty($conf['global_disabled'])) { |
||
49 | return true; |
||
50 | } |
||
51 | |||
52 | // group1_ips (groupid=1) |
||
53 | if (is_object($xoopsUser) && in_array(1, $xoopsUser->getGroups())) { |
||
54 | $group1_ips = $protector->get_group1_ips(true); |
||
55 | if (implode('', array_keys($group1_ips))) { |
||
56 | $group1_allow = $protector->ip_match($group1_ips); |
||
57 | if (empty($group1_allow)) { |
||
58 | die('This account is disabled for your IP by Protector.<br>Clear cookie if you want to access this site as a guest.'); |
||
|
|||
59 | } |
||
60 | } |
||
61 | } |
||
62 | |||
63 | // reliable ips |
||
64 | $reliable_ips = @unserialize(@$conf['reliable_ips']); |
||
65 | if (is_array($reliable_ips)) { |
||
66 | foreach ($reliable_ips as $reliable_ip) { |
||
67 | if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $_SERVER['REMOTE_ADDR'])) { |
||
68 | return true; |
||
69 | } |
||
70 | } |
||
71 | } |
||
72 | |||
73 | // user information (uid and can be banned) |
||
74 | if (is_object(@$xoopsUser)) { |
||
75 | $uid = $xoopsUser->getVar('uid'); |
||
76 | $can_ban = count(@array_intersect($xoopsUser->getGroups(), @unserialize(@$conf['bip_except']))) ? false : true; |
||
77 | } else { |
||
78 | // login failed check |
||
79 | if ((!empty($_POST['uname']) && !empty($_POST['pass'])) || (!empty($_COOKIE['autologin_uname']) && !empty($_COOKIE['autologin_pass']))) { |
||
80 | $protector->check_brute_force(); |
||
81 | } |
||
82 | $uid = 0; |
||
83 | $can_ban = true; |
||
84 | } |
||
85 | // CHECK for spammers IPS/EMAILS during POST Actions |
||
86 | if (@$conf['stopforumspam_action'] !== 'none') { |
||
87 | $protector->stopforumspam($uid); |
||
88 | } |
||
89 | |||
90 | // If precheck has already judged that he should be banned |
||
91 | if ($can_ban && $protector->_should_be_banned) { |
||
92 | $protector->register_bad_ips(); |
||
93 | } elseif ($can_ban && $protector->_should_be_banned_time0) { |
||
94 | $protector->register_bad_ips(time() + $protector->_conf['banip_time0']); |
||
95 | } |
||
96 | |||
97 | // DOS/CRAWLER skipping based on 'dirname' or getcwd() |
||
98 | $dos_skipping = false; |
||
99 | $skip_dirnames = explode('|', @$conf['dos_skipmodules']); |
||
100 | if (!is_array($skip_dirnames)) { |
||
101 | $skip_dirnames = array(); |
||
102 | } |
||
103 | if (is_object(@$xoopsModule)) { |
||
104 | if (in_array($xoopsModule->getVar('dirname'), $skip_dirnames)) { |
||
105 | $dos_skipping = true; |
||
106 | } |
||
107 | } else { |
||
108 | foreach ($skip_dirnames as $skip_dirname) { |
||
109 | if ($skip_dirname && false !== strpos(getcwd(), $skip_dirname)) { |
||
110 | $dos_skipping = true; |
||
111 | break; |
||
112 | } |
||
113 | } |
||
114 | } |
||
115 | |||
116 | // module can control DoS skipping |
||
117 | if (defined('PROTECTOR_SKIP_DOS_CHECK')) { |
||
118 | $dos_skipping = true; |
||
119 | } |
||
120 | |||
121 | // DoS Attack |
||
122 | if (empty($dos_skipping) && !$protector->check_dos_attack($uid, $can_ban)) { |
||
123 | $protector->output_log($protector->last_error_type, $uid, true, 16); |
||
124 | } |
||
125 | |||
126 | // check session hi-jacking |
||
127 | $masks = @$conf['session_fixed_topbit']; |
||
128 | $maskArray = explode('/', $masks); |
||
129 | $ipv4Mask = empty($maskArray[0]) ? 24 : $maskArray[0]; |
||
130 | $ipv6Mask = (!isset($maskArray[1])) ? 56 : $maskArray[1]; |
||
131 | $ip = \Xmf\IPAddress::fromRequest(); |
||
132 | $maskCheck = true; |
||
133 | if (isset($_SESSION['protector_last_ip'])) { |
||
134 | $maskCheck = $ip->sameSubnet($_SESSION['protector_last_ip'], $ipv4Mask, $ipv6Mask); |
||
135 | } |
||
136 | if (!$maskCheck) { |
||
137 | if (is_object($xoopsUser) && count(array_intersect($xoopsUser->getGroups(), unserialize($conf['groups_denyipmove'])))) { |
||
138 | $protector->purge(true); |
||
139 | } |
||
140 | } |
||
141 | $_SESSION['protector_last_ip'] = $ip->asReadable(); |
||
142 | |||
143 | // SQL Injection "Isolated /*" |
||
144 | if (!$protector->check_sql_isolatedcommentin(@$conf['isocom_action'] & 1)) { |
||
145 | if (($conf['isocom_action'] & 8) && $can_ban) { |
||
146 | $protector->register_bad_ips(); |
||
147 | } elseif (($conf['isocom_action'] & 4) && $can_ban) { |
||
148 | $protector->register_bad_ips(time() + $protector->_conf['banip_time0']); |
||
149 | } |
||
150 | $protector->output_log('ISOCOM', $uid, true, 32); |
||
151 | if ($conf['isocom_action'] & 2) { |
||
152 | $protector->purge(); |
||
153 | } |
||
154 | } |
||
155 | |||
156 | // SQL Injection "UNION" |
||
157 | if (!$protector->check_sql_union(@$conf['union_action'] & 1)) { |
||
158 | if (($conf['union_action'] & 8) && $can_ban) { |
||
159 | $protector->register_bad_ips(); |
||
160 | } elseif (($conf['union_action'] & 4) && $can_ban) { |
||
161 | $protector->register_bad_ips(time() + $protector->_conf['banip_time0']); |
||
162 | } |
||
163 | $protector->output_log('UNION', $uid, true, 32); |
||
164 | if ($conf['union_action'] & 2) { |
||
165 | $protector->purge(); |
||
166 | } |
||
167 | } |
||
168 | |||
169 | if (!empty($_POST)) { |
||
170 | // SPAM Check |
||
171 | if (is_object($xoopsUser)) { |
||
172 | if (!$xoopsUser->isAdmin() && $conf['spamcount_uri4user']) { |
||
173 | $protector->spam_check((int)$conf['spamcount_uri4user'], $xoopsUser->getVar('uid')); |
||
174 | } |
||
175 | } elseif ($conf['spamcount_uri4guest']) { |
||
176 | $protector->spam_check((int)$conf['spamcount_uri4guest'], 0); |
||
177 | } |
||
178 | |||
179 | // filter plugins for POST on postcommon stage |
||
180 | $protector->call_filter('postcommon_post'); |
||
181 | } |
||
182 | |||
183 | // register.php Protection - both core and profile module have a register.php |
||
184 | // There should be an event to trigger this check instead of filename sniffing. |
||
185 | if (basename($_SERVER['SCRIPT_FILENAME']) == 'register.php') { |
||
186 | $protector->call_filter('postcommon_register'); |
||
187 | } |
||
188 | return null; |
||
189 | } |
||
190 |
In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.